Neiman Marcus Continued Struggling with Data Breaches, Documents Show


Neiman Marcus may have recently settled a $1.6 million class-action lawsuit regarding its 2013 data breach, but its cybersecurity issues didn’t end there. The Dallas-based retailer has had at least two other data breaches since 2013, with the most recent hitting earlier this year.

On or about Dec. 26, 2015, hackers obtained customers’ full payment card numbers and expiration dates, as well as customers’ names, contact information, email addresses, and purchase history, according to documents filed with the California Attorney General. Then, on or about Jan. 17 of this year, hackers accessed customers’ names, basic contact information, email addresses, and purchase history, “but only the last four digits of payment information,” the documents say.

In both cases, however, the company sent notifications of the breaches to affected customers, which the retailer identified as InCircle loyalty members or online shoppers. The notification says that, in both instances, “unauthorized individuals began attempting to access our InCircle, Neiman Marcus, Bergdorf Goodman, Last Call, CUSP, and Horchow websites (collectively the ‘NMG websites’) by trying various login and password combinations using automated attacks.”

The notification goes on to say that hackers also were able to access InCircle gift card numbers as well as customers’ “Circle Level,” which determines customers’ benefits based on how much they spend at the retailer. Neiman’s stated that “all indications” show that the InCircle and Neiman Marcus Group’s database of email addresses and passwords is safe, and that the company’s “cyber defenses repelled the majority of the attacks.”

In response to the two attacks, Neiman Marcus offered affected customers one year of MyIDCare, a theft protection service offered through ID Experts. The service includes credit and cyberscan monitoring, a $1 million insurance reimbursement policy, educational materials, and fully managed ID theft recovery services. The deadline to apply for the services was July 12. The retailer has also required a password reset for all affected online accounts.

The data breaches followed the 2013 attack, which exposed the credit card data of thousands of customers. A class action lawsuit claimed that 350,000 customers were affected by that breach. Neiman Marcus said the number was only 9,200. In March of this year, Neiman Marcus agreed to pay $1.6 million. As part of the settlement, it also agreed to appoint a chief information security officer, create an information security unit, and increase the frequency and depth of cybersecurity reporting to executives and its board, among other new security measures.

Neiman Marcus did not have a CISO at the time of the 2013 attack. But about 10 months after the breach, it hired Sarah Hendrickson, who served in that role until exiting in June this year. The company did not cite reasons for her departure but did say it was working to replace her.